FILE SYSTEM SUPPORT FOR ROLLING KEYS ON FILE EXTENTS
First Claim
1. A method for re-encrypting file extents of files at a computing device, the method comprising:
- by a processor of the computing device;
receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents;
identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated;
decrypting the at least one file extent using the first encryption key;
encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and
updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key.
1 Assignment
0 Petitions
Accused Products
Abstract
This application sets forth a key rolling technique for a file system of a computing device. The key rolling technique allows for files to be transparently re-encrypted in a background process while still allowing applications to access the files being re-encrypted. During re-encryption, at least one file extent of a file is decrypted using a current key for the file extent and re-encrypted using a new key for the file extent. Moreover, the file extent can be relocated to another location in memory during re-encryption to enhance accessibility and crash protection features. Metadata associated with the file can be updated to include information pertaining to both the location of the re-encrypted file extent as well as the new key that can be used to decrypt the re-encrypted file extent. In this manner, the metadata can be used to properly construct a complete file when the file needs to be accessed.
27 Citations
20 Claims
-
1. A method for re-encrypting file extents of files at a computing device, the method comprising:
by a processor of the computing device; receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents; identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated; decrypting the at least one file extent using the first encryption key; encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor included in a computing device, cause the computing device to re-encrypt file extents of files at the computing device, by carrying out steps that include:
-
receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents; identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated; decrypting the at least one file extent using the first encryption key; encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A computing device configured to re-encrypting file extents of files at a computing device, the computing device comprising a processor configured to cause the computing device to carry out steps that include:
-
receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents; identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated; decrypting the at least one file extent using the first encryption key; encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification